TPRM Is Worthless?! NY DFS Part 500, Security Negotiation Tips & Mezcal

🎙️ Welcome back to the Distilled Security Podcast - Episode 17!

In this episode, Justin, Joe, and Rick break down several major cybersecurity and compliance updates shaping the landscape this fall. From regulatory deadlines to the futility of checkbox TPRM exercises, the crew dives deep into what actually matters for security leaders and business owners navigating today’s risk environment.

Also, join us at TRISS in Pittsburgh, PA, at the David this October 29, 2025! We have our own booth and will be doing something fun there. We are also sponsoring the After Party! Please come say hi!

🔹 Topics Covered

NY DFS Part 500: Final Requirements Take Effect November 1
The hosts unpack the final phase of New York’s cybersecurity regulation, what’s changing, and what companies must have in place before the enforcement deadline.

Negotiating Security
How smaller companies can push back or reframe due diligence requirements—substituting a SOC 2 or ISO 27001 certification with custom questionnaires, summaries, or shared evidence that reflect real security maturity instead of checklists.

“TPRM Is Worthless”
A candid discussion on the state of third-party risk management: why it’s often broken, what needs to change, and how to make it meaningful rather than bureaucratic.

Department of War Announces New Cybersecurity Risk Management Construct
The team explores the DoD’s latest cybersecurity framework announcement—what it means for contractors, how it overlaps with CMMC and NIST 800-171, and whether it will actually simplify or complicate compliance.

🥃 Spirit Review

One of Us Mezcal — This small-batch mezcal impresses with its earthy smoke, hints of citrus, and smooth finish. The guys compare it to other craft agave spirits they’ve tried and debate whether it pairs better with a quiet evening or post-recording celebration.

Find it here:
https://oneofusmezcal.com/products/cuishe-mezcal-the-wild-one

⏱️ Timestamps

0:00 – Introduction & Travel Mishap
6:25 – New Laptop Twins & Backup Strategies
11:35 – NY DFS Part 500 Updates
27:30 – DFS Reporting & Organizational Accountability
33:30 – Negotiating Security Requirements
47:46 – Cultural Nuances in Negotiation
50:20 – Spirit Review: One of Us Mezcal
52:55 – TPRM Is Worthless?
57:50 – Fixing Broken Vendor Risk Workflows
1:08:21 – Vendor Resilience vs. Security
1:18:20 – New DoW/DoD Cybersecurity Risk Management Construct
1:35:06 – BSides Pittsburgh Planning & Sponsorship
1:38:35 – DSP at TRISS
1:39:51 – Closing Remarks & Outro

🎧 Hosts

Justin Leapline – @justinleapline
Joe Wynn – @wynnjoe
Rick Yocum – @rickyocum

🌐 Connect with Us

Website: distilledsecuritypodcast.com
🐦 Twitter: @DisSecPod
📧 Email: hello@distilledsecuritypodcast.com

Creators and Guests

Joe Wynn – Host – Founder & CEO @ Seiso | IANS Faculty Member | Co-founder of BSidesPGH
Justin Leapline – Host – Founder of episki | IANS Faculty Member
Rick Yocum – Host – Optimize IT Founder | Managing Director, TrustedSec